CCT 047: CISSP Exam Questions (Domain 8)

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all of you, sean Gerber, with CISSP Cyber Training and we are going to be doing CISSP exam questions for software development. Yeah, baby, domain eight of the CISSP exam. So it's exciting, super exciting. Yeah, i just did. I'm remote right now and I've made the mistake of not recording my podcast. I just talked for an hour. So, yeah, shoot me now. I'm like, oh my gosh, that was such a waste of time, but you know what It will be. You'll be ready for it when you get it. It's awesome. All right, so you guys don't care about that. You want to learn about CISSP exam questions. So let's get into question numero uno, number one which of the following is the most critical phase for integrating security in the software development lifecycle? Okay, so we're talking domain eight and we're talking software development. So which of the following is the most critical phase for integrating security in the software development lifecycle SDLC A requirements gathering, b design and architecture, c coding and implementation or D testing and quality assurance? Okay, so which of the following is most critical requirements gathering, design and architecture, coding and implementation, or D testing and quality assurance? The answer is B Right, i was almost going to say the wrong one, i just was, i don't know what I was thinking. It's B design and architecture. So design and architecture is the most critical for integrating security into the SDLC environment. It does lay the foundation for the entire software system and allows for security controls to be built into the design. Again, ensuring security is always considered from the beginning. Okay, question number two which of the following is an example of a static application security testing technique, or SAST? a penetration testing. B code review, c fuzz testing. D web application scanning? Again, which of the following is an example of a static application security testing technique SAST a penetration testing. B code review, c fuzz testing or D web application scan? And the answer is B code review. Okay, so SAST testing does involve reviewing the code source and the compile application without executing it. So code review is a common SAST technique And, again, it's very important for identifying vulnerabilities, coding errors and adherence to coding guidelines and policies, which we talked about in the podcast earlier. Question three in context with software security, what does the term OWASP stand for? Organization for web application security protocols, open web application security project, operating system, web application security procedures or online web application security platform. So what does the term OWASP stand for? I'm not going to read all those again, but you can see the video of it online. It is B open web application security project. Owasp is an open source project that was focused on improving security within software applications. Okay, so it provides resources, tools, guidelines all of that defined for specifically secure applications and finding security vulnerabilities. Question four which of the following is an example of a dynamic application security testing technique? DAST, which is a common example of DAST, so, again as Delta Alpha, sierra Tango, which is the following is a dynamic application security testing technique A threat modeling, b security code review, c vulnerability scanning. Or D secure code guidelines? Okay, which is an example of DAST? And the answer is C vulnerability scanning. So dynamic application security testing. Dast involves testing the application while it's running, okay, to find vulnerabilities. So vulnerability scanning is a common technique that searches out for no vulnerabilities of the application code, configurations and network interactions, and so, therefore, dast and vulnerability scanning work hand in hand. Question five which of the following is a key objective of the threat modeling in software security? DAST security vulnerabilities and software code assess the effectiveness of security controls. C evaluating the impact of the acquired software and security. And D identifying potential threats and their associated risks. So which is the following is the key objective of threat modeling in software security? The answer is D identifying potential threats and their associated risks. So threat modeling is a process for identifying potential threats and their associated risks in software applications, and it does help you understand the attack vectors, potential vulnerabilities and what are the potential impacts in the event that the threat was successful. Again, the answer is D identifying potential threats and the associated risks. Question six, which are the following is the characteristic of secure coding guidelines and standards? okay, a, they focus on preventing external attacks, that's A. B they're implementing during the testing phase of SDLC. C they're generic and not specific to programming languages or frameworks. Or D they provide recommendations for writing secure and robust code. Okay, so which of the following is a characteristic of secure coding guidelines and standards? Okay, so, that one can seem a little nebulous. So you have to kind of think about that a little bit. But A they focus on preventing external attacks, though they don't do that. They implement during. They are implemented during the testing phase of the SDLC. You'd want them more than on the testing phase. They are generic and not specific to programming. Okay, you don't want them necessarily to be generic. And D is they provide recommendations of writing secure and robust code. That would be your security coding guidelines and standards would be. Answer would be D. And they provide recommendations as for providing or for writing secure and robust code. They provide input, validation, authentication, access controls. All of those pieces are tied into that. Now. Now the cool part is is, if you have that already defined, you can have that set up in a, potentially in a CICV pipeline, and so you are good to go All right. Another question Which of the following activities is an integral part of integrating security into the software development lifecycle? A backup and recovery, b change management process, c user acceptance testing or D incident response planning. So which of the following is an integral part of integrating security into the software development lifecycle? Okay, so again, all of these can be valuable, but which one is an integral part of integrating security into software development. User acceptance testing C is a crucial activity in SDLC And it does ensure that the software meets the user's requirements and is functionally as expected. Okay, it allows stakeholders to validate the security controls and assess the effectiveness of the software security features Again, that's an important factor. So, depending on how you're answering the question, what is the most integral part? So when you're saying integral of integrating, you're dealing with user acceptance testing, uat, okay, so those are where the users actually go out and test and play with it. All right, hope you have a wonderful day. That's all I've got for today. Go check out at CISSP, stiver Training and you can check all these wonderful things and see if it meets your needs to pass the CISSP the first time. All right, have a great day. We'll catch you on the flip side, see ya.